Suggestions for the future on your web site: (was cookies, and

Joe Greco jgreco at ns.sol.net
Thu Jan 24 16:43:26 UTC 2013


> Well, yes and no.  Lately, AFAICT, most CAPTCHAs have been so
> successfully attacked by wgetters that they're quite easy for machines

I wasn't aware that there was now a -breakCAPTCHA flag to wget.

The point I was making is that it's a defense against casual copying
of certain types of protected content and other stupid tricks that
used to go on.  Someone who has made a business out of copying web
sites and has arranged to defeat CAPTCHAs is not a casual attacker.

> to break, but difficult for humans to use.  For example, I can testify
> that I now fail about 25% of the reCAPTCHA challenges I perform,
> because the images are so distorted I just can't make them out (it's
> much worse on my mobile, given the combination if its small screen and
> my middle-aged eyes).

I agree that this problem has gotten worse; as time goes on, it 
seems likely that the computers will be able to read CAPTCHA's
(and then solve the new generation of CAPTCHA's) more easily than
many humans.

> So it's now more like airport security: a big hassle for the
> legitimate users but not really much of a barrier for a real
> attacker.  A poor trade-off.

Don't think we're quite there yet.  However, it is certainly moving in
that direction.

However, Ace Hardware still sells hook-and-eye latches, and that's 
something to think about.

One of the businesses we run here had a "problem"; the website had a
"contact us" page that had been recycled out of some script with 
changes to hardcode where mail went, which didn't stop some exploit
script from finding it and then trying to spam through it, which 
meant all their spam went to the company contact address.  The coder 
who maintained the website noted that only a particularly stupid 
spammer (or completely automated system of some sort) would try to 
exploit a script without bothering to check if the mail was being
delivered to victims, so he figured that the correct fix was to put 
a very simple CAPTCHA on it.

I was skeptical, since even five years ago I saw the effectiveness of
CAPTCHAs as being in severe decline, but you know what, he was right.
The CAPTCHA is VERY readable, even has ALT text so you can use it in 
your favorite text browser, because the point WASN'T to make it 
impossible (or even difficult) to abuse, but rather to address a 
particular problem.

It helps to keep your perspective on things.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



More information about the NANOG mailing list